SOCIAL SECURITY

MEMORANDUM

Date: August 19, 2004        Refer To:

To: The Commissioner

From: Acting Inspector General

Subject: The Social Security Administration’s Internal Use of Employees’ Social Security Numbers (A-13-04-24046)

The attached final report presents the results of our audit. Our objectives were to determine the extent of the Social Security Administration’s internal use of employees’ Social Security numbers (SSN) and to evaluate the safeguards used within the Agency to protect the confidentiality of these SSNs.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment

OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S INTERNAL USE OF EMPLOYEES’ SOCIAL SECURITY NUMBERS

August 2004   A-13-04-24046

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration’s programs, operations, and management and in our own office.

Executive Summary

OBJECTIVE

Our objectives were to determine the extent of the Social Security Administration’s (SSA) internal use of employees’ Social Security numbers (SSN), and to evaluate the safeguards used within the Agency to protect the confidentiality of these SSNs.

BACKGROUND

The SSN was created in 1936 as a means of tracking workers’ earnings and eligibility for Social Security benefits. However, over the years, the SSN has become a de facto national identifier used by Federal agencies, State and local governments, and private organizations. The expanded use of the SSN as a national identifier provides a tempting motive for unscrupulous individuals to acquire an SSN and use it for illegal purposes.

Federal agencies frequently ask individuals for their SSNs because, in certain instances, the law requires that they do so or SSNs provide a convenient means of tracking and exchanging information. Federal agencies have a responsibility to limit the risk of unauthorized disclosure of SSNs. Although no single Federal law regulates overall use and disclosure of SSNs by Federal agencies, the Freedom of Information Act of 1966, the Privacy Act of 1974, and the Social Security Act Amendments of 1990 generally govern disclosure and use of SSNs.

RESULTS OF REVIEW

The SSN is used extensively within SSA’s systems and documents to identify its employees. Further, SSA has some safeguards in place to protect the confidentiality of its employees’ SSNs. However, SSA needs to enforce current policies to ensure SSA employees’ SSNs are protected.

CONCLUSION AND RECOMMENDATIONS

SSA’s extensive use of employee SSNs in its systems and documents increases the risk that the employee SSN may be accessed by unauthorized personnel. SSA has mitigated this through some safeguards, but additional actions are needed. With the increasing impact of identity theft on the public and economy, and as the issuer of SSNs, SSA should be the model for both the public and private sectors by taking the leadership role in protecting SSNs, including those of its employees.

SSA’s Internal Use of Employees’ Social Security Numbers (A-13-04-24046)   i

We recommend SSA:

• Remind employees to secure any system or document containing employee SSNs when these systems or documents are not being used.
• Consider using asterisks, if determined to be cost-effective, to hide the employee SSN on computer screens and reports in all existing and future systems. Asterisks are currently used in the Mainframe Time and Attendance System to hide the employee SSN.
• Identify the forms that request the employee’s SSN. If the SSN is not required, eliminate its use on these forms.
• Determine if it is cost beneficial to use an alternative primary identifier for its employees, such as the one used in the On-Line University, for all future SSA systems. If determined to be cost-beneficial, then implement an alternative primary identifier.
• Consider and use, as indicated in Agency policy, encryption if feasible and not cost prohibitive.

AGENCY COMMENTS

SSA agreed with our recommendations. Further, the Agency agreed that it needed to exercise due diligence in protecting employee SSNs. The Agency noted that unlike the private sector, it is bound by Executive Order 9397 and the 1961 Civil Service Commission directives, which mandate the use of SSNs as the identifier of Federal employees. As a result, the Agency states that until such time as both directives are rescinded or modified, it is required to use the SSN as the employee identifying number.

Also, in its response to Recommendation 5, the Agency believes it is already in compliance with the intent of our recommendation. The Agency indicates the use of dedicated lines and Connect Direct when transmitting payroll information to the Department of Interior complies with its policy concerning the transmission of sensitive data outside the Agency. The text of SSA’s comments is included in Appendix D.

OIG RESPONSE

We agree the Agency is in compliance with its policy concerning the transmission of sensitive data outside the Agency. Additionally, we agree the use of dedicated lines, Connect Direct, or other secure transport mechanism(s) will provide some level of security for the transmitted data. However, we believe the Agency should also encrypt this sensitive data when transmitted outside the Agency. Data encryption would provide an additional level of security.

Table of Contents

INTRODUCTION

RESULTS OF REVIEW
  SSNs Are Used Extensively by SSA to Identify Its Employees
  SSA Has Implemented Some Safeguards to Protect the Confidentiality of Its Employees’ SSNs
  SSA Needs to Ensure Policies Protecting Employees’ SSNs are Being Enforced

CONCLUSIONS AND RECOMMENDATIONS

APPENDICES
APPENDIX A – Acronyms
APPENDIX B – Background, Scope and Methodology
APPENDIX C – Prior Office of the Inspector General Review
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Introduction

OBJECTIVE

Our objectives were to determine the extent of the Social Security Administration’s (SSA) internal use of employees’ Social Security numbers (SSN) and to evaluate the safeguards used within the Agency to protect the confidentiality of these SSNs.

BACKGROUND

The SSN was created in 1936 as a means of tracking workers’ earnings and eligibility for Social Security benefits. However, over the years, the SSN has become a de facto national identifier used by Federal agencies, State and local governments, and private organizations. The expanded use of the SSN as a national identifier provides a tempting motive for unscrupulous individuals to acquire an SSN and use it for illegal purposes.

Federal agencies frequently ask individuals for their SSNs because, in certain instances, the law requires that they do so or SSNs provide a convenient means of tracking and exchanging information. While a number of laws and regulations require the use of SSNs for various Federal programs, they generally also impose limitations on how those SSNs may be used. Federal agencies have a responsibility to limit the risk of unauthorized disclosure of SSNs. Although no single Federal law regulates overall use and disclosure of SSNs by Federal agencies, the Freedom of Information Act of 1966,[1] the Privacy Act of 1974,[2] and the Social Security Act Amendments of 1990 generally govern disclosure and use of SSNs.

Federal Trade Commission Survey on Identity Theft

According to the Federal Trade Commission’s (FTC) September 2003 survey report on identity theft, “…a total of 4.6 percent of survey participants indicated that they had discovered they were victims of identity theft in the past year.”[3] The report also indicated the results of the survey suggest almost 10 million Americans have discovered that they were victims of some form of identity theft within the last year.[4]

It was estimated that within the last 5 years, approximately 27 million Americans were victims of identity theft.[5] The total loss to businesses last year due to identity theft was nearly $48 billion, and the loss to consumers was $5 billion.[6]

Applicable Federal Criteria

Executive Order 9397, which provides SSA the authority to request an individual’s SSN, states, “…whenever the head thereof finds it advisable to establish a new system of permanent account numbers pertaining to individual persons, utilize exclusively the Social Security Act account number.”[7] Moreover, the Privacy Act of 1974 requires that SSA “…maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive Order of the President.”[8]

Further, the Privacy Act of 1974 regulates Federal agencies’ collection, maintenance, use and disclosure of personal information maintained by agencies in a system of records.[9] It requires agencies to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity, which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is maintained.

The Social Security Board – Regulation Number 1 states, “It being found by the Social Security Board that the public interest and the efficient administration of the functions with which the Board is charged under the Social Security Act require that the confidential nature of all wage records and other records or information in possession of the Board, pertaining to any person, be preserved.”[10]

SSA policy states that an approach must be taken “…to ensure personal data entrusted to SSA is not compromised, abused or misused by the public or our own employees.”[11] For additional background information, see Appendix B.

[1] The Freedom of Information Act, 5 U.S.C. § 552.
[2] The Privacy Act of 1974, 5 U.S.C. § 552a.
[3] FTC – Identity Theft Survey Report, September 2003. The report, which interviewed 4,057 U.S. adults, was prepared by Synovate, a research firm hired by the FTC. Identity theft occurs when someone uses your personal information, such as your name, SSN, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC website: http://www.consumer.gov/idtheft/.
[4] id.
[5] id.
[6] id.
[7] Executive Order 9397, November 22, 1943.
[8] 5 U.S.C. § 552a.
[9] A system of records is a group of records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
[10] Social Security Board Regulation Number 1, adopted June 15, 1937.
[11] Social Security Administration Information Systems Security Handbook, Chapter 1, February 2001.

Results of Review

The SSN is used extensively within SSA’s systems and documents to identify its employees. Further, SSA has some safeguards in place to protect the confidentiality of its employees’ SSNs. However, SSA needs to enforce current policies to ensure SSA employees’ SSNs are protected.

SSNs ARE USED EXTENSIVELY BY SSA TO IDENTIFY ITS EMPLOYEES

The SSN is used extensively within SSA’s systems and documents to identify its employees.
The SSN is used as the primary identifier for employees in SSA’s travel, training, time and attendance, and other human resources management information systems and documents.[12] For example, the SSN is used in SSA’s Human Resources Management Information System (HRMIS)[13] to identify its employees’ personnel actions, and in the Mainframe Time and Attendance System (MTAS) for processing employee pay and leave information. Employee SSNs are also used on SSA forms, such as Training Nomination and Authorization, Travel Voucher, and Administrative Time and Leave Record.[14] Additionally, the employee SSN is requested on various Office of Personnel Management (OPM) forms.[15] These forms are pre-approved by OPM and are used to add and update employee personnel records.

Further, SSA transmits data containing employee SSNs outside the Agency. SSA personnel stated that the employee SSN is required to interface with other agencies’ computer systems. For example, SSA transmits employee payroll information to the Department of Interior (DOI)[16] and employee benefit program changes to the OPM using SSNs to identify employees.

SSA’s extensive use of employee SSNs in its systems and documents increases the risk that the employee SSN may be accessed by unauthorized personnel. Therefore, the Agency must have the appropriate and cost-effective safeguards in place to protect the confidentiality of its employees’ SSNs.

[12] Travel Manager, Version 8.1, the Office of Training data, and the Agency’s Mainframe Time and Attendance System all use employee SSNs as the primary identifier.
[13] HRMIS is a database that is used for multiple purposes, including personnel research and program evaluation, management information, equal opportunity statistics, and internal and external reporting.
[14] SSA352-U10 (Training Nomination and Authorization), SF 1012 (Travel Voucher), and SSA 2042 (Administrative Time and Leave Record).
[15] Examples of OPM approved forms are “Health Care Election Form” (SF 2809) and “Request for Personnel Action” (SF 52).
[16] DOI’s Payroll Operations Division provides payroll services for several Government agencies including SSA.

SSA HAS IMPLEMENTED SOME SAFEGUARDS TO PROTECT THE CONFIDENTIALITY OF ITS EMPLOYEES’ SSNs

SSA has some safeguards in place to protect the confidentiality of its employees’ SSNs. During our review, we observed security controls[17] for many of SSA’s systems and documents that contain Agency employees’ SSNs. These systems and documents contain sensitive information.[18] For example, HRMIS and MTAS require employees to obtain multiple levels of management approval[19] before being granted access to these applications. Further, MTAS will not display the employee’s SSN on computer screens or printed reports.[20]

Moreover, these human resources management information systems require users to obtain personal identification numbers and passwords. Personal identification numbers and initial passwords are provided by SSA. Users’ passwords are encrypted, and users are required to change their password at least every 30 days. If an individual obtains unauthorized system access, certain systems produce violation reports, which are reviewed by SSA management.

In addition to safeguarding data contained in its systems, the Agency is required to safeguard the confidentiality of sensitive information it transmits to other Federal, State, and local governments. SSA policy states, “…in all instances where SSA data is transmitted outside of SSA, encryption must be considered and used if feasible and not cost prohibitive.”[21]

[17] Security controls refer to policies and measures that ensure confidentiality, integrity, and availability of the information processed and stored by a computer. For example, physical security controls concern the use of locks, guards, badges, alarm systems, and related administratively controlled measures to protect a structure or facility against unauthorized entry, and measures to detect and minimize damage from accident, fire and environmental hazards.
[18] Sensitive information refers to information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. Examples include SSA employees’ Social Security numbers, addresses, and birth dates.
[19] Forms SSA-613-U5, Top Secret Resource Access Authorization, and SSA-120-U3, Application for Access to SSA Systems, must be completed and management approved.
[20] Asterisks are displayed in place of the employee SSN.
[21] SSA Information Systems Security Handbook, Appendix H, September 2003. Encryption denotes conversion of a plain text, formula, combination or entry code into unintelligible form through the use of algorithms and keys. Encryption may be performed either by hardware or software.

We also observed physical security controls within several SSA components. Most of the areas observed were secure. The rooms and cabinets were locked. These rooms and cabinets house documents containing sensitive information including SSA employees’ SSNs.

Besides the physical and computer security controls, SSA also has a computer security awareness program. The Computer Security Act of 1987[22] requires every Federal agency to provide periodic training in computer security awareness and security practices for all employees involved with the management, use, or operation of computers within the agency. SSA has developed a security awareness, training, and education program to assist management in complying with the Computer Security Act. SSA distributes pamphlets, Commissioner’s bulletins, desk-to-desk bulletins, and videos to enhance employee security awareness.

We discussed with SSA management the possibility of eliminating the use of the employee SSN as a primary identifier in Agency systems and forms. SSA management stated it would not be cost-effective to eliminate the SSN in its existing systems. Further, SSA management noted many of its forms that require the SSN are mandated by OPM. Agency management explained it would be cost prohibitive to change its existing systems to enable the use of another primary identifier instead of the SSN. However, there have been no studies reflecting the cost of updating SSA’s existing systems.

Although SSA management rejects the elimination of the SSN as a primary identifier, the Agency has taken steps to reduce its use of employees’ SSNs. For example, some SSA managers encourage employees not to provide their SSN on leave slips and timesheets. Both of these forms request the employee SSN, but the employees’ SSNs are not necessary for processing these forms. Additionally, SSA has developed certain systems that allow employees to process personal information without supplying their SSN. For example, SSA’s “On-Line University” system uses the SSN to interface with HRMIS. However, SSA’s “On-Line University” system allows SSA employees to use a unique identifier other than the SSN to enroll in on-line training courses.

We believe the safeguards implemented by the Agency lower the risk that the employee SSN may be compromised.
Nevertheless, SSA needs to enforce its policies to ensure the employee SSN is protected.

[22] Public Law 100-235.

SSA NEEDS TO ENSURE POLICIES PROTECTING EMPLOYEES’ SSNs ARE BEING ENFORCED

Although SSA has some policies in place to protect the confidentiality of its employees’ SSN, additional enforcement of these policies is needed. During our review, we observed documents containing employees’ SSNs filed in unlocked cabinets, which could be accessed by unauthorized personnel. For example, an Automated Clearing House report, which contains employees’ SSNs, bank account numbers, bank routing numbers, and employee names, was stored in an unlocked file cabinet in an unlocked area. We visited the unsecured area after normal duty hours[23] and accessed the report from the file cabinet. In addition, we found other employee files containing sensitive employee information in unlocked cabinets in an unlocked room. We were able to access these files while employees were working in the area.

Further, we observed, on several occasions, documents containing employee SSNs lying on tables. These documents contained employee SSNs and Internal Revenue Service wage information. We also observed information on computer screens which contained employees’ SSNs. Occasionally, this information was printed and faxed to employees. For example, an employee can request travel status information, which is printed from a computer screen and faxed to the employee. This creates a risk that unintended employees may have access to an employee’s SSN.

We also found instances where the employee SSN is requested on various forms.[24] Although SSA is limited in its ability to eliminate the SSN on many forms, we believe SSA has an opportunity to work within existing laws, regulations, and policies to identify and eliminate the SSN on forms where the SSN is not required. Further, we observed invoices from an external entity, which displayed SSA employee names, addresses and SSNs.

Through discussions with staff in the Office of Telecommunications and Systems Operations, Division of Network Engineering, we determined not all sensitive data transmitted externally to other entities are encrypted. SSA transmits employee payroll information to the DOI. However, those data are not encrypted. Staff in the Office of Telecommunications and Systems Operations explained they are investigating whether DOI has the software to facilitate the transmission of encrypted data between SSA and DOI.

We believe these deficiencies are potential security risks. Employees who do not have a “need to know”[25] may have access to sensitive employee information including the SSN. This information may be used by unscrupulous employees to acquire an SSN and use it for illegal purposes.

[23] Normal duty hours are 6:00 a.m. to 6:00 p.m.
[24] SSA-71 Application for Leave; SSA-2042 Administrative Time & Leave Record; SSA-170 Employee Suggestion Form.
[25] The legitimate requirement of a person or organization to know, access, or possess sensitive or classified information that is critical to the performance of an authorized, assigned mission.

Conclusions and Recommendations

SSA’s extensive use of employee SSNs in its systems and documents increases the risk that the employee SSN may be accessed by unauthorized personnel. SSA has mitigated this through some safeguards, but additional actions are needed. With the increasing impact of identity theft on the public and economy, and as the issuer of SSNs, SSA should become the model for both the public and private sectors by taking the leadership role in protecting SSNs, including those of its employees.

We recommend SSA:

1. Remind employees to secure any system or document containing employee SSNs when these systems or documents are not being used.

2. Consider using asterisks, if determined to be cost-effective, to hide the employee SSN on computer screens and reports in all existing and future systems. Asterisks are currently used in the Mainframe Time and Attendance System to hide the employee SSN.

3. Identify the forms that request the employee’s SSN. If the SSN is not required, eliminate its use on these forms.

4. Determine if it is cost beneficial to use an alternative primary identifier for its employees, such as the one used in the On-Line University, for all future SSA systems. If determined to be cost-beneficial, then implement an alternative primary identifier.

5. Consider and use, as indicated in Agency policy, encryption if feasible and not cost prohibitive.

AGENCY COMMENTS

SSA agreed with our recommendations. Further, the Agency agreed that it needed to exercise due diligence in protecting employee SSNs. The Agency noted that unlike the private sector, it is bound by Executive Order 9397 and the 1961 Civil Service Commission directives, which mandate the use of SSNs as the identifier of Federal employees. As a result, the Agency states that until such time as both directives are rescinded or modified, it is required to use the SSN as the employee identifying number.

Also, in its response to Recommendation 5, the Agency believes it is already in compliance with the intent of our recommendation. The Agency indicates the use of dedicated lines and Connect Direct when transmitting payroll information to the DOI complies with its policy concerning the transmission of sensitive data outside the Agency. The text of SSA’s comments is included in Appendix D.

OIG RESPONSE

We agree the Agency is in compliance with its policy concerning the transmission of sensitive data outside the Agency. Additionally, we agree the use of dedicated lines, Connect Direct, or other secure transport mechanism(s) will provide some level of security for the transmitted data. However, we believe the Agency should also encrypt this sensitive data when transmitted outside the Agency. Data encryption would provide an additional level of security.

Appendices

Appendix A
Acronyms

DOI      Department of Interior
FTC      Federal Trade Commission
GAO      Government Accountability Office
HRMIS    Human Resources Management Information System
MTAS     Mainframe Time and Attendance System
OIG      Office of the Inspector General
OPM      Office of Personnel Management
SSA      Social Security Administration
SSN      Social Security Number
U.S.C.   United States Code

Appendix B
Background, Scope and Methodology

Government Accountability Office

The Government Accountability Office, formerly known as the General Accounting Office (GAO), found[1] that in the course of using Social Security numbers (SSN) to administer programs and as employers, Federal agencies sometimes display SSNs on documents, such as eligibility cards or employee badges. As a result, the SSNs can be seen by others who may not have a need to know.
GAO also found that, when\nrequesting SSNs, agencies are not consistently providing individuals with information\nrequired by Federal law.2 Although agencies that use SSNs to provide benefits and\nservices are taking steps to safeguard the numbers from improper disclosure, GAO\nidentified potential weaknesses in the security of information systems at all levels of\nGovernment.\n\nOffice of the Inspector General\n\nIn December 2002, the Office of the Inspector General reported,3 \xe2\x80\x9c\xe2\x80\xa6although the\nSocial Security Administration (SSA) has controls over the access, disclosure and use\nof SSNs by external entities, there was concern about the Agency\'s exposure to\nimproper SSN attainment and misuse.\xe2\x80\x9d There were several instances in which SSA\npersonnel unnecessarily displayed SSNs on documents sent to external entities that\nmay not have had a need to know. In addition, there were instances in which SSA\npersonnel were not adequately monitoring contractors\' access and use of SSNs.\n\nScope and Methodology\n\nTo accomplish our objectives, we:\n\n    \xe2\x80\xa2   Identified and reviewed applicable laws and regulations;\n    \xe2\x80\xa2   Identified and reviewed relevant SSA policies and procedures;\n    \xe2\x80\xa2   Identified and reviewed prior relevant audits;\n    \xe2\x80\xa2   Interviewed SSA personnel responsible for controls over the use of SSNs;\n    \xe2\x80\xa2   Identified and reviewed pertinent SSA employee forms that include SSNs;\n    \xe2\x80\xa2   Identified and reviewed pertinent SSA employee forms that include unique\n        identifiers other than SSNs;\n\n\n\n\n1\n  Social Security Numbers \xe2\x80\x93 Government Benefits from SSN Use but Could Provide Better Safeguards,\nGAO-02-352, May 2002.\n2\n  The Privacy Act of 1974, 5 U.S.C. 
\xc2\xa7 552a.\n3\n  Review of Social Security Administration\'s Controls Over the Access, Disclosure, and Use of Social\nSecurity Numbers by External Entities, (A-08-02-22071), December, 2002. See Appendix C.\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)                          B-1\n\x0c   \xe2\x80\xa2   Determined the Agency\xe2\x80\x99s internal usage of SSNs; and\n   \xe2\x80\xa2   Observed the safeguards implemented by the Agency.\n\nWe performed our review at SSA Headquarters in Baltimore, Maryland. The entities\nreviewed were the Office of Personnel, and Office of Training within the Office of\nHuman Resources; the Office of the Chief Information Officer; the Office of Public\nDisclosure within the Office of General Counsel; and the Office of Financial Policy and\nOperations within the Office of Finance, Assessment and Management. We performed\nour audit from September 2003 through January 2004 in accordance with generally\naccepted government auditing standards.\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)            B-2\n\x0c                                                                           Appendix C\nPrior Office of the Inspector General Review\n\nReview of Social Security Administration\xe2\x80\x99s Controls over the\nAccess, Disclosure, and Use of Social Security Numbers by\nExternal Entities (A-08-02-22071), issued December 30, 2002\n\nTo view the appendices for this report, please visit our web site at\nwww.socialsecurity.gov/oig/ or click on the following link\nhttp://www.socialsecurity.gov/oig/ADOBEPDF/A-08-02-22071.pdf. 
If you do not have\naccess to the Internet, you may request a copy of the report by contacting the Office of\nthe Inspector General\xe2\x80\x99s Public Affairs Specialist at (410) 966-1375.\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)\n\x0c                                                                           Appendix D\nAgency Comments\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)\n\x0c                                     SOCIAL SECURITY\n\n\nMEMORANDUM                                                                          33255-24-1142\n\n\n        July 27, 2004                                                        Refer To: S1J-3\n\nTo:     Patrick P. O\'Carroll, Jr.\n        Acting Inspector General\n\nFrom:   Larry W. Dye /s/\n        Chief of Staff\n\nSubject: Office of the Inspector General (OIG) Draft Report "Social Security Administration\'s\n        Internal Use of the Social Security Number" (A-13-04-24046)--INFORMATION\n\n\n        We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the draft report\n        content and recommendations are attached.\n\n        Please let me know if you have any questions. Staff inquiries may be directed to\n        Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.\n\n        Attachment:\n        SSA Response\n\n\n\n\n        SSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)                D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT \xe2\x80\x9cTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S (SSA) INTERNAL USE OF\nEMPLOYEES\xe2\x80\x99 SOCIAL SECURITY NUMBERS (SSN)\xe2\x80\x9d (A-13-04-24046)\n\n\nThank you for the opportunity to review and comment on the subject report. 
We\nappreciate OIG\xe2\x80\x99s continuing efforts to identify opportunities to minimize improper\ndisclosure of our employees\xe2\x80\x99 SSNs. We agree that we need to exercise due diligence in\nprotecting the SSNs of our employees; however, unlike the private sector, we are bound\nby the 1943 Executive Order number 9397 and the 1961 Civil Service Commission (now\nknown as the Office of Personnel Management) directives, both of which mandate the\nuse of the SSN as the identifier of Federal employees. Therefore, until such time as\nboth directives are rescinded or modified, we are required to use the SSN as the\nemployee identifying number. From an overall security perspective, we recognize that\nlimiting the display of an employee\xe2\x80\x99s SSN is a prudent measure, and will consider doing\nso as time and resources allow. Our responses to the specific recommendations are\nprovided below:\n\nRecommendation 1\n\nSSA should remind employees to secure any system or document containing employee\nSSNs when these systems or documents are not being used.\n\nResponse\n\nWe agree. Our Office of Systems Security Operations Management and the Agency\xe2\x80\x99s\nChief Security Officer already issue periodic and ad hoc bulletins to SSA employees\nconcerning systems security matters. Generally, the bulletins focus on systems security\nissues impacting a wide range of users and developers, or are applicable to the entire\nAgency. We have established systems security policies and procedures that require a\nsuite of controls over systems that contain sensitive data, such as SSA clients\' SSNs\nand SSA employee SSNs. The Information Systems Security Handbook, and Agency\npolicy governing systems development (i.e., the Systems Development Life Cycle)\nrequire documentation of security risk, security plans to address those risks, access\ncontrols, audit trails, and other controls in the development of SSA systems. 
Since\nthere are no findings that indicate these policies and procedures are not being followed,\nwe believe the existing processes are effective.\n\nWe recognize that the functions described above are not substitutes for staff taking\nresponsibility for the security of the data they manage and the systems they develop,\nwhether programmatic or administrative, and whether the data is handled electronically\nor by hardcopy. Therefore, we will take steps to ensure managers and staff adhere to\nthe existing procedures and handling of documents associated with administrative\nactivities.\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)             D-2\n\x0cRecommendation 2\n\nSSA should consider using asterisks, if determined to be cost-effective, to hide the\nemployee SSN on computer screens and reports in all existing and future systems.\nAsterisks are currently used in the Mainframe Time and Attendance System to hide the\nemployee SSN.\n\nResponse\n\nWe agree that from an overall security perspective, the use of asterisks to mask on-\nscreen SSNs is a prudent protection measure. We will consider the costs and benefits\nof using asterisks during the development of future systems enhancements.\n\nRecommendation 3\n\nSSA should identify the forms that request the employee\xe2\x80\x99s SSN. If the SSN is not\nrequired, eliminate its use on these forms.\n\nResponse\n\nWe agree that from an overall security perspective the elimination of the collection of\nSSNs on forms where it is not required is a prudent protection measure. 
As we review\nand modify internal forms in the future, we will consider the continuing need to capture\nthe SSN.\n\nRecommendation 4\n\nSSA should determine if it is cost beneficial to use an alternative primary identifier for its\nemployees, such as the one used in the On-Line University for all future SSA systems.\nIf determined to be cost-beneficial, then implement an alternative primary identifier.\n\nResponse\n\nWe agree. However, as noted above, we are bound by the Executive Order number\n9397 and Civil Service Commission (now known as the Office of Personnel\nManagement) mandate to use the SSN as the identifying number for Federal\nemployees. In the future, on a case-by-case basis, we will assess the feasibility of\nusing an alternative primary identifier such as the one used in the On-Line-University.\n\nRecommendation 5\n\nSSA should consider and use, as indicated in Agency policy, encryption if feasible and\nnot cost prohibitive.\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)                   D-3\n\x0cResponse\n\nWe agree. However, we believe we are already in compliance with the intent of the\nrecommendation. Our current policy (published in 2003 - Appendix H of the Systems\nSecurity Handbook) states:\n\n    In all instances where SSA data is transmitted outside of SSA, encryption must be\n    considered and used if feasible and not cost prohibitive.\n\n    Any sensitive data transmitted outside of SSA\xe2\x80\x99s firewall must be encrypted. This is\n    to be accomplished by dedicated lines, use of connect direct or other secure\n    transport mechanism(s). 
The method of transport used is dependent upon the\n    application, data transmitted and the receiving party.\n\nBecause we currently use dedicated lines and Connect Direct when transmitting payroll\ninformation to the Department of Interior (the example cited in the report), we believe\nthat we are in compliance with the policy as written.\n\n\nIn addition to the items listed above, SSA also provided technical comments, which\nhave been addressed, where appropriate, in this report.\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)             D-4\n\x0c                                                                           Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n  Shirley E. Todd, Director, General Management Audit Division, (410) 966-9365\n\n  Brian Karpe, Audit Manager, (410) 966-1029\n\nAcknowledgments\n\nIn addition to those named above:\n\n  Joe Borowy, Auditor-in-Charge\n\n  Cheryl Robinson, Writer-Editor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 966-1375. 
Refer to Common Identification\nNumber A-13-04-24046.\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)\n\x0c                               DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\n\n\n\nSSA\xe2\x80\x99s Internal Use of Employees\xe2\x80\x99 Social Security Numbers (A-13-04-24046)\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. 
This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n                  Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n\n                               Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'